Abstract. In a seminal paper from 1985, Sistla and Clarke showed that the model-checking
problem for Linear Temporal Logic (LTL) is either NP-complete or PSPACE-complete, de- 
pending on the set of temporal operators used. If, in contrast, the set of propositional op- 
erators is restricted, the complexity may decrease. This paper systematically studies the 
model-checking problem for LTL formulae over restricted sets of propositional and temporal 
operators. For almost all combinations of temporal and propositional operators, we deter- 
mine whether the model-checking problem is tractable (in P) or intractable (NP-hard). We 
then focus on the tractable cases, showing that they all are NL-complete or even logspace 
solvable. This leads to a surprising gap in complexity between tractable and intractable 
cases. It is worth noting that our analysis covers an infinite set of problems, since there are 
infinitely many sets of propositional operators. 



1 Introduction 

Linear Temporal Logic (LTL) has been proposed by Pnueli [Pnu77] as a formal- 
ism to specify properties of parallel programs and concurrent systems, as well as 
to reason about their behaviour. Since then, it has been widely used for these pur- 
poses. Recent developments require reasoning tasks — such as deciding satisfiability, 
validity, or model checking — to be performed automatically. Therefore, decidability 
and computational complexity of the corresponding decision problems are of great 
interest.

The earliest and fundamental source of complexity results for the satisfiability 
problem (SAT) and the model-checking problem (MC) of LTL is certainly Sistla and 
Clarke's paper [SC85]. They have established PSPACE-completeness of SAT and MC 
for LTL with the temporal operators F (eventually), G (invariantly), X (next-time), 
U (until), and S (since). They have also shown that these problems are NP-complete
for certain restrictions of the set of temporal operators. This work was continued 
by Markey [Mar04]. The results of Sistla, Clarke, and Markey imply that SAT and 
MC for LTL and a multitude of its fragments are intractable. In fact, they do not 
exhibit any tractable fragment. 

The fragments they consider are obtained by restricting the set of temporal op- 
erators and the use of negations. What they do not consider are arbitrary fragments 
of temporal and Boolean operators. For propositional logic, a complete analysis 
has been achieved by Lewis [Lew79]. He divides all infinitely many sets of Boolean
operators into those with tractable (polynomial-time solvable) and intractable (NP- 
complete) SAT problems. A similar systematic classification has been obtained by 
Bauland et al. in [BSS+07] for LTL. They divide fragments of LTL — determined
by arbitrary combinations of temporal and Boolean operators — into those with 
polynomial-time solvable, NP-complete, and PSPACE-complete SAT problems. 

This paper continues the work on the MC problem for LTL. Similarly as in 
[BSS+07], the considered fragments are arbitrary combinations of temporal and
Boolean operators. We will separate the MC problem for almost all LTL fragments 
into tractable (i.e., polynomial-time solvable) and intractable (i.e., NP-hard) cases. 
This extends the work of Sistla and Clarke, and Markey [SC85, Mar04], but in con- 
trast to their results, we will exhibit many tractable fragments and exactly deter- 
mine their computational complexity. Surprisingly, we will see that tractable cases 
for model checking are even very easy — that is, NL-complete or even L-solvable. 
There is only one set of Boolean operators, consisting of the binary xor-operator, 
that we will have to leave open. This constellation has already proved difficult to 
handle in [BSS+07, BHSS06], the latter being a paper where SAT for basic modal
logics has been classified in a similar way. 

While the borderline between tractable and intractable fragments in [Lew79, 
BSS+07] is quite easily recognisable (SAT for fragments containing the Boolean
function $f(x, y) = x \wedge \overline{y}$ is intractable, almost all others are tractable), our results for
MC will exhibit a rather diffuse borderline. This will become visible in the following 
overview and is addressed in the Conclusion. Our most surprising intractability 
result is the NP-hardness of the fragment that only allows the temporal operator U 
and no propositional operator at all. Our most surprising tractability result is the 
NL-completeness of MC for the fragment that only allows the temporal operators F, 
G, and the binary or-operator. Taking into account that MC for the fragment with 
only F plus and is already NP-hard (which is a consequence from [SC85]), we would 
have expected the same lower bound for the "dual" fragment with only G plus or, 
but in fact we show that even the fragment with F and G and or is tractable. In 
the presence of the X-operator, the expected duality occurs: The fragment with F, 
X plus and and the one with G, X plus or are both NP-hard. 

Table 1 gives an overview of our results. The top row refers to the sets of Boolean 
operators given in Definition 2.3. These seven sets of Boolean operators are all 
relevant cases, which is due to Post's fundamental paper [Pos41] and Lemma 2.2. 
Table 1. An overview of complexity results for the model-checking problem



Entries in bold-face type denote completeness for the given complexity class under 
logspace reductions. (All reductions in this paper are logspace reductions $\leq_m^{\log}$.) The
entry L stands for logspace solvability. All other entries denote hardness results.
Superscripts refer to the source of the corresponding result as explained in the 
legend. 

This paper is organised as follows. Section 2 contains all necessary definitions 
and notation. In Section 3, we show NP-hardness of all intractable cases, followed 
by Section 4 with the NL-completeness of almost all remaining cases. We conclude 
in Section 5. 

2 Preliminaries 

A Boolean function is a function $f\colon \{0,1\}^n \to \{0,1\}$. We can identify an $n$-ary
propositional function symbol $c$ with the $n$-ary Boolean function $f$ defined by:
$f(a_1, \dots, a_n) = 1$ if and only if the formula $c(x_1, \dots, x_n)$ becomes true when assigning
$a_i$ to $x_i$ for all $1 \leq i \leq n$. An operator is either a function or a function symbol,
which becomes clear from the context. In addition to propositional operators we
use the unary temporal operators X (next-time), F (eventually), G (invariantly) and 
the binary temporal operators U (until), and S (since). 
Let $B$ be a finite set of Boolean operators and $T$ be a set of temporal operators. A
temporal $B$-formula over $T$ is a formula $\varphi$ that is built from variables, propositional
operators from $B$, and temporal operators from $T$. More formally, a temporal $B$-formula
over $T$ is either a propositional variable or of the form $f(\varphi_1, \dots, \varphi_n)$ or
$g(\varphi_1, \dots, \varphi_m)$, where $\varphi_i$ are temporal $B$-formulae over $T$, $f$ is an $n$-ary propositional
operator from $B$ and $g$ is an $m$-ary temporal operator from $T$. In [SC85], complexity
results for formulae using the temporal operators F, G, X (unary), and U, S (binary)
were presented. We extend these results to temporal $B$-formulae over subsets of those
temporal operators. The set of variables appearing in $\varphi$ is denoted by $\mathrm{VAR}(\varphi)$. If
$T = \{\mathrm{X}, \mathrm{F}, \mathrm{G}, \mathrm{U}, \mathrm{S}\}$ we call $\varphi$ a temporal $B$-formula, and if $T = \emptyset$ we call $\varphi$ a
propositional $B$-formula or simply a $B$-formula. The set of all temporal $B$-formulae
over $T$ is denoted with $L(T, B)$.

A Kripke structure is a triple $K = (W, R, \eta)$, where $W$ is a finite set of states,
$R \subseteq W \times W$ is a total binary relation (meaning that, for each $a \in W$, there is some
$b \in W$ such that $aRb$)¹, and $\eta\colon W \to 2^{\mathrm{VAR}}$ for a set VAR of variables.

A model in linear temporal logic is a linear structure of states, which intuitively 
can be seen as different points of time, with propositional assignments. Formally, 
a path $p$ in $K$ is an infinite sequence denoted as $(p_0, p_1, \dots)$, where, for all $i \geq 0$,
$p_i \in W$ and $p_i R p_{i+1}$.

For a temporal $\{\wedge, \neg\}$-formula $\varphi$ over $\{\mathrm{F}, \mathrm{G}, \mathrm{X}, \mathrm{U}, \mathrm{S}\}$ with variables from VAR, a
Kripke structure $K = (W, R, \eta)$, and a path $p$ in $K$, we define what it means that
$p^K$ satisfies $\varphi$ in $p_i$ ($p^K, i \models \varphi$): let $\varphi_1$ and $\varphi_2$ be temporal $\{\wedge, \neg\}$-formulae over
$\{\mathrm{F}, \mathrm{G}, \mathrm{X}, \mathrm{U}, \mathrm{S}\}$ and let $x \in \mathrm{VAR}$ be a variable.

Since every Boolean operator can be composed from $\wedge$ and $\neg$, the above definition
generalises to temporal $B$-formulae for arbitrary sets $B$ of Boolean operators.

This paper examines the model-checking problems MC(T, B) for finite sets B of 
Boolean functions and sets T of temporal operators. 

¹ In the strict sense, Kripke structures can have arbitrary binary relations. However, when referring to
Kripke structures, we always assume their relations to be total. 
Problem: MC(T, B)

Input: $\langle \varphi, K, a \rangle$, where $\varphi \in L(T, B)$ is a formula, $K = (W, R, \eta)$ is a
Kripke structure, and $a \in W$ is a state

Question: Is there a path $p$ in $K$ such that $p_0 = a$ and $p^K, 0 \models \varphi$?

Sistla and Clarke [SC85] have established the computational complexity of the 
model-checking problem for temporal $\{\wedge, \vee, \neg\}$-formulae over some sets of temporal
operators. 

Theorem 2.1 ([SC85]). 

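(1) $\mathrm{MC}(\{\mathrm{F}\}, \{\wedge, \vee, \neg\})$ is NP-complete.

(2) $\mathrm{MC}(\{\mathrm{F}, \mathrm{X}\}, \{\wedge, \vee, \neg\})$, $\mathrm{MC}(\{\mathrm{U}\}, \{\wedge, \vee, \neg\})$, and $\mathrm{MC}(\{\mathrm{U}, \mathrm{S}, \mathrm{X}\}, \{\wedge, \vee, \neg\})$ are
PSPACE-complete.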

Since there are infinitely many finite sets of Boolean functions, we introduce some 
algebraic tools to classify the complexity of the infinitely many arising satisfiability 
problems. We denote with $\mathrm{id}^n_k$ the $n$-ary projection to the $k$-th variable, where
$1 \leq k \leq n$, i.e., $\mathrm{id}^n_k(x_1, \dots, x_n) = x_k$, and with $c^n_a$ the $n$-ary constant function defined
by $c^n_a(x_1, \dots, x_n) = a$. For $c^1_1(x)$ and $c^1_0(x)$ we simply write 1 and 0. A set $C$ of
Boolean functions is called a clone if it is closed under superposition, which means 
C contains all projections and C is closed under arbitrary composition [Pip97]. For 
a set B of Boolean functions we denote with [B] the smallest clone containing B 
and call B a base for [B]. In [Pos41] Post classified the lattice of all clones and found
a finite base for each clone. 

The definitions of all clones as well as the full inclusion graph can be found, 
for example, in [BCRV03]. The following lemma implies that only clones with both
constants 0, 1 are relevant for the model-checking problem; hence we will only define 
those clones. Note, however, that our results will carry over to all clones. 

Lemma 2.2. Let B be a finite set of Boolean functions and T be a set of temporal 
operators. Then $\mathrm{MC}(T, B \cup \{0, 1\}) \equiv_m^{\log} \mathrm{MC}(T, B)$.

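Proof. $\mathrm{MC}(T, B) \leq_m^{\log} \mathrm{MC}(T, B \cup \{0, 1\})$ is trivial. For $\mathrm{MC}(T, B \cup \{0, 1\}) \leq_m^{\log}
\mathrm{MC}(T, B)$ let $\langle \varphi, K, a \rangle$ be an instance of $\mathrm{MC}(T, B \cup \{0, 1\})$ for a Kripke structure
$K = (W, R, \eta)$ and let $\bot$ and $\top$ be two fresh variables. We define a new Kripke
structure $K' = (W, R, \eta')$ where $\eta'(\alpha) = \eta(\alpha) \cup \{\top\}$ and we define $\varphi'$ to be a copy of $\varphi$
where every appearance of 0 is replaced by $\bot$ and every appearance of 1 by $\top$. It holds
that $\langle \varphi', K', a \rangle$ is an instance of $\mathrm{MC}(T, B)$ and that $\langle \varphi, K, a \rangle \in \mathrm{MC}(T, B \cup \{0, 1\})$
if and only if $\langle \varphi', K', a \rangle \in \mathrm{MC}(T, B)$. □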

Because of Lemma 2.2 it is sufficient to look only at the clones with constants, 
which are introduced in Definition 2.3. Their bases and inclusion structure are given 
in Figure 1. 

Definition 2.3. Let $\oplus$ denote the binary exclusive or. Let $f$ be an $n$-ary Boolean
function.

(1) BF is the set of all Boolean functions.

(2) M is the set of all monotone functions, that is, the set of all functions $f$ where
$a_1 \leq b_1, \dots, a_n \leq b_n$ implies $f(a_1, \dots, a_n) \leq f(b_1, \dots, b_n)$.

(3) L is the set of all linear functions, that is, the set of all functions $f$ that satisfy
$f(x_1, \dots, x_n) = c_0 \oplus (c_1 \wedge x_1) \oplus \dots \oplus (c_n \wedge x_n)$, for constants $c_i$.

(4) V is the set of all functions $f$ where $f(x_1, \dots, x_n) = c_0 \vee (c_1 \wedge x_1) \vee \dots \vee (c_n \wedge x_n)$,
for constants $c_i$.

(5) E is the set of all functions $f$ where $f(x_1, \dots, x_n) = c_0 \wedge (c_1 \vee x_1) \wedge \dots \wedge (c_n \vee x_n)$,
for constants $c_i$.

(6) N is the set of all functions that depend on at most one variable.

(7) I is the set of all projections and constants.

There is a strong connection between propositional formulae and Post's lattice. 
If we interpret propositional formulae as Boolean functions, it is obvious that [B] 
includes exactly those functions that can be represented by $B$-formulae. This connection
has been used various times to classify the complexity of problems related
to propositional formulae. For example, Lewis presented a dichotomy for the satisfiability
problem for propositional $B$-formulae: it is NP-complete if $x \wedge \overline{y} \in [B]$,
and solvable in P otherwise [Lew79]. Furthermore, Post's lattice has been applied
to the equivalence problem [Rei01], to counting [RW05] and finding minimal [RV03]
solutions, and to learnability [Dal00] for Boolean formulae. The technique has been
used in non-classical logic as well: Bauland et al. achieved a trichotomy in the con- 
text of modal logic, which says that the satisfiability problem for modal formulae 
is, depending on the allowed propositional connectives, PSPACE-complete, coNP- 
complete, or solvable in P [BHSS06]. For the inference problem for propositional 
circumscription, Nordh presented another trichotomy theorem [Nor05]. 

An important tool in restricting the length of the resulting formula in many of 
our reductions is the following lemma. 

Lemma 2.4. Let $B \subseteq \{\wedge, \vee, \neg\}$, and let $C$ be a finite set of Boolean functions such
that $B \subseteq [C]$. Then $\mathrm{MC}(T, B) \leq_m^{\log} \mathrm{MC}(T, C)$ for every set $T$ of temporal operators.

Proof. Let $D = C \cup \{0, 1\}$. From Lemmas 1.4.4 and 1.4.5 in [Sch07] we directly
conclude: Let $f$ be one of the functions or, and, and not such that $f \in [D]$. Let $k$
be the arity of $f$. Then there is a $D$-formula $\varphi(x_1, \dots, x_k)$ representing $f$, such that
every variable occurs only once in $\varphi$. Hence $\mathrm{MC}(T, B) \leq_m^{\log} \mathrm{MC}(T, C \cup \{0, 1\})$. From
Lemma 2.2 follows $\mathrm{MC}(T, C \cup \{0, 1\}) \leq_m^{\log} \mathrm{MC}(T, C)$. □

It is essential for this Lemma that $B \subseteq \{\wedge, \vee, \neg\}$. For, e.g., $B = \{\oplus\}$, it is
open whether $\mathrm{MC}(T, B) \leq_m^{\log} \mathrm{MC}(T, \mathrm{BF})$. This is a reason why we cannot immediately
transform upper bounds proven by Sistla and Clarke [SC85] — for example,
$\mathrm{MC}(\{\mathrm{F}, \mathrm{X}\}, \{\wedge, \vee, \neg\}) \in$ PSPACE — to upper bounds for all finite sets of
Boolean functions — i.e., it is open whether for all finite sets $B$ of Boolean functions,
$\mathrm{MC}(\{\mathrm{F}, \mathrm{X}\}, B) \in$ PSPACE.

3 The bad fragments: intractability results 

Sistla and Clarke [SC85] and Markey [Mar04] have considered the complexity of 
model-checking for temporal $\{\wedge, \vee, \neg\}$-formulae restricted to atomic negation and
propositional negation, respectively. We define a temporal $B$-formula with propositional
negation to be a temporal $B$-formula where additional negations are allowed,
but only in such a way that no temporal operator appears in the scope of a negation
sign. In the case that negation is an element of $B$, a temporal $B$-formula with
propositional negation is simply a temporal $B$-formula. In [SC85], atomic negation
is considered, which restricts the use of negation even further — negation is only 
allowed directly for variables. We will now show that propositional negation does 
not make any difference for the complexity of the model checking problem. Since 
this obviously implies that atomic negation inherits the same complexity behaviour, 
we will only speak about propositional negation in the following. The proof of the 
following lemma is similar to that of Lemma 2.2. 

Lemma 3.1. Let T be a set of temporal operators, and B a finite set of Boolean 
functions. We use $\mathrm{MC}^+(T, B)$ to denote the model-checking problem $\mathrm{MC}(T, B)$ extended
to $B$-formulae with propositional negation. Then $\mathrm{MC}^+(T, B) \equiv_m^{\log} \mathrm{MC}(T, B)$.

Proof. The reduction $\mathrm{MC}(T, B) \leq_m^{\log} \mathrm{MC}^+(T, B)$ is trivial. For $\mathrm{MC}^+(T, B) \leq_m^{\log}
\mathrm{MC}(T, B)$, assume that negation is not an element of $B$, otherwise there is nothing
to prove. Let $\langle \varphi, K, a \rangle$ be an instance of $\mathrm{MC}^+(T, B)$, where $K = (W, R, \eta)$. Let
$x_1, \dots, x_m$ be the variables that appear in $\varphi$, and for each formula of the kind
$\neg\psi(x_1, \dots, x_n)$ appearing in $\varphi$, let $y_\psi$ be a new variable. Note that since only
propositional negation is allowed in $\varphi$, in these cases $\psi$ is purely propositional.

We obtain $K' = (W, R, \eta')$ from $K$ by extending $\eta$ to the variables $y_\psi$ in such
a way that $y_\psi$ is true in a state if and only if $\psi(x_1, \dots, x_n)$ is false. Finally, to
obtain $\varphi'$ from $\varphi$ we replace every appearance of $\neg\psi(x_1, \dots, x_n)$ with $y_\psi$. Now,
$\varphi'$ is a temporal $B$-formula. By the construction it is straightforward to see that
$\langle \varphi, K, a \rangle \in \mathrm{MC}^+(T, B)$ iff $\langle \varphi', K', a \rangle \in \mathrm{MC}(T, B)$. □

Using Lemma 2.4 in addition, we can generalise the above mentioned hardness 
results from [SC85, Mar04] for temporal monotone formulae to obtain the following 
intractability results for model-checking. 
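Theorem 3.2. Let $M^+$ be a finite set of Boolean functions such that $M \subseteq [M^+]$.
Then

(1) $\mathrm{MC}(\{\mathrm{F}, \mathrm{G}, \mathrm{X}\}, M^+)$ is PSPACE-hard.

(2) $\mathrm{MC}(\{\mathrm{F}\}, M^+)$, $\mathrm{MC}(\{\mathrm{G}\}, M^+)$, and $\mathrm{MC}(\{\mathrm{X}\}, M^+)$ are NP-hard.

(3) $\mathrm{MC}(\{\mathrm{U}\}, M^+)$ and $\mathrm{MC}(\{\mathrm{G}, \mathrm{X}\}, M^+)$ are PSPACE-hard.

(4) $\mathrm{MC}(\{\mathrm{S}, \mathrm{G}\}, M^+)$ and $\mathrm{MC}(\{\mathrm{S}, \mathrm{F}\}, M^+)$ are PSPACE-hard.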

In Theorem 3.5 in [SC85] it is shown that $\mathrm{MC}(\{\mathrm{F}\}, \{\wedge, \vee, \neg\})$ is NP-hard. In
fact, Sistla and Clarke give a reduction from 3SAT to $\mathrm{MC}(\{\mathrm{F}\}, \{\wedge\})$. The result for
arbitrary bases B generating a clone above E follows from Lemma 2.4. 

Corollary 3.3. Let $E^+$ be a finite set of Boolean functions such that $E \subseteq [E^+]$.
Then $\mathrm{MC}(\{\mathrm{F}\}, E^+)$ is NP-hard.

The model-checking problem for temporal $\{\mathrm{G}, \mathrm{X}\}$-$\{\wedge, \vee\}$-formulae is PSPACE-complete
(Theorem 3.23 due to [Mar04]). The Boolean operators $\{\wedge, \vee\}$ are a basis
of M, the class of monotone Boolean formulae. What happens for fragments of M?
In Theorem 4.3 we will show that $\mathrm{MC}(\{\mathrm{G}, \mathrm{X}\}, E)$ is NL-complete, i.e., the model-checking
problem for temporal $\{\wedge\}$-formulae over $\{\mathrm{G}, \mathrm{X}\}$ is very simple. We can
prove that switching from $\wedge$ to $\vee$ makes the problem intractable. As notation, we
use $\mathrm{LIT}(\varphi)$ to denote the literals obtained from variables that appear in $\varphi$.

Theorem 3.4. Let $V^+$ be a finite set of Boolean functions such that $V \subseteq [V^+]$. Then
$\mathrm{MC}(\{\mathrm{G}, \mathrm{X}\}, V^+)$ is NP-hard.

Proof. It suffices to give a reduction from 3SAT to $\mathrm{MC}(\{\mathrm{G}, \mathrm{X}\}, \{\vee\})$ (due to
Lemma 2.4). A formula $\psi$ in 3CNF is mapped to an instance $\langle \psi', K(\psi), q_1 \rangle$ of
$\mathrm{MC}(\{\mathrm{G}, \mathrm{X}\}, \{\vee\})$ as follows. Let $\psi = C_1 \wedge \dots \wedge C_m$ consist of $m$ clauses, and
$n = |\mathrm{VAR}(\psi)|$ variables. The Kripke structure $K(\psi)$ has states $Q = \{q_1, \dots, q_m\}$
containing one state for every clause, a sequence of states $P = \{l_i^j \mid l_i \in \mathrm{LIT}(\psi),\ 0 \leq
j \leq m - 1\}$ for every literal, and a final sink state $z$. That is, the set of states is
$Q \cup P \cup \{z\}$. The variables of $K(\psi)$ are $b_1, \dots, b_m, c$. Variable $b_a$ is assigned true in
a state $l_i^0$ iff literal $l_i$ is contained in clause $C_a$. In all other states, every $b_i$ is false.
Variable $c$ is assigned true in all states in $P \cup \{z\}$.

The relation between the states is $E_1 \cup E_2 \cup E_3 \cup E_4 \cup E_5$ as follows. It starts
with the path $q_1, \dots, q_m$: $E_1 = \{(q_i, q_{i+1}) \mid i = 1, 2, \dots, m - 1\}$. $q_m$ has an edge
to $x_1^0$ and an edge to $\overline{x}_1^0$: $E_2 = \{(q_m, x_1^0), (q_m, \overline{x}_1^0)\}$. Each $l_i^0$ is the starting point
of a path $l_i^0, l_i^1, \dots, l_i^{m-1}$: $E_3 = \{(l_i^j, l_i^{j+1}) \mid l_i \in \mathrm{LIT}(\psi),\ j = 0, 1, \dots, m - 2\}$. Each
endpoint of these paths has both the literals with the next index resp. the final
sink state as neighbours: $E_4 = \{(l_i^{m-1}, x_{i+1}^0), (l_i^{m-1}, \overline{x}_{i+1}^0) \mid i = 1, 2, \dots, n - 1,\ l_i \in \mathrm{LIT}(\psi)\} \cup
\{(x_n^{m-1}, z), (\overline{x}_n^{m-1}, z)\}$. The final sink state $z$ has an edge to $z$ itself, $E_5 = \{(z, z)\}$.

Figure 2 shows an example for a formula $\psi_0$ and the Kripke structure $K(\psi_0)$.
Notice that every path in such a Kripke structure $K(\psi)$ corresponds to an assignment
to the variables in $\psi$. A path corresponds to a satisfying assignment iff for every $b_i$
the path contains a state that $b_i$ is assigned to.

Fig. 2. The Kripke structure $K(\psi_0)$ for $\psi_0 = (x_1 \vee \neg x_2 \vee \neg x_4) \wedge (\neg x_1 \vee x_3 \vee \neg x_4) \wedge (\neg x_2 \vee x_4)$.

We are now going to construct a
formula $\psi'$ to express this property. If we were allowed to use the $\wedge$ in $\psi'$, this would
be easy. But, the formula $\psi'$ consists only of operators G, X, $\vee$, and of variables
$b_1, \dots, b_m, c$. In order to define $\psi'$, we use formulae $\varphi_i$ and $\psi'_i$ defined as follows. For
$i = 1, 2, \dots, m$ define

$$\varphi_i = \bigvee_{k = 1, 2, \dots, n} \mathrm{X}^{k \cdot m - (i - 1)}\, b_i .$$

Intuitively, $\varphi_i$ says that $b_i$ is satisfied in a state in distance $d$, where $d = m - (i - 1) \pmod{m}$.
The state $q_i$ is the only state in $Q$ where $\varphi_i$ can hold. Every path $p$ in $K(\psi)$
has the form $p = (q_1, q_2, \dots, q_m, l_1^0, \dots, l_n^{m-1}, z, z, \dots)$. Every state except for $z$
appears at most once in $p$. For the sake of simplicity, we use the notation $p^{K(\psi)}, q_i \models \alpha$
for $p^{K(\psi)}, i - 1 \models \alpha$ (for $i = 1, 2, \dots, m$), and $p^{K(\psi)}, l_i^j \models \alpha$ for $p^{K(\psi)}, m + (i - 1) \cdot m + j \models \alpha$.

Claim 1. For every path $p$ in $K(\psi)$ and $1 \leq i, j \leq m$ holds: If $p^{K(\psi)}, q_i \models \varphi_j$, then
$i = j$.

Proof of Claim 1. Assume $p^{K(\psi)}, q_i \models \varphi_j$, where $1 \leq i, j \leq m$. By the definition
of $\varphi_j$, it follows that $p^{K(\psi)}, (j - 1) + k \cdot m - (i - 1) \models b_j$ for some $k$ with $1 \leq k \leq n$.
Consider any path $p$ in $K(\psi)$. After the initial part $(p_0, \dots, p_{m-1}) = (q_1, \dots, q_m)$
of $p$ follows a sequence $(p_m, \dots, p_{m \cdot (n+1) - 1})$ of $n \cdot m$ states, where $p_i = l_{\lfloor i/m \rfloor}^{\,i \bmod m}$ (for
$i = m, \dots, m \cdot (n + 1) - 1$). Therefore,

$$p_{(j-1) + k \cdot m - (i-1)} = l_r^{\,(j + k \cdot m - i) \bmod m} = l_r^{\,(j - i) \bmod m}$$

for some $r$ (that does not matter here). But $p^{K(\psi)}, l_r^w \models b_j$ implies $w = 0$, by the
definition of $K(\psi)$, and therefore $(j - i) \bmod m = 0$. Since $1 \leq i, j \leq m$, it follows
that $j = i$. ■

The formulae $\psi'_i$ are defined inductively for $i = m + 1, \dots, 2, 1$ as follows (as
before, we can use $\vee$ in our construction):

$$\psi'_{m+1} = c \quad\text{and}\quad \psi'_i = \mathrm{G}(\varphi_i \vee \mathrm{G}\psi'_{i+1}) \quad (\text{for } m \geq i \geq 1).$$

Finally, $\psi' = \psi'_1$.
It is clear that the reduction function $\psi \mapsto \langle \psi', K(\psi), q_1 \rangle$ can be computed
in logarithmic space. It remains to prove the correctness of the reduction. Using
Claim 1, we make the following observation.

Claim 2. For every path $p = (q_1, q_2, \dots)$ in $K(\psi)$ and $i = 1, 2, \dots, m$ holds:
$p^{K(\psi)}, q_i \models \psi'_i$ if and only if for $j = i, i + 1, \dots, m$ holds $p^{K(\psi)}, q_j \models \varphi_j$.

Proof of Claim 2. The direction from right to left is straightforward. To prove
the other direction, we use induction.

As base case we consider $i = m$. Assume $p^{K(\psi)}, q_m \models \mathrm{G}(\varphi_m \vee \mathrm{G}c)$. By construction
of $K(\psi)$ holds $p^{K(\psi)}, q_m \not\models c$, and therefore $p^{K(\psi)}, q_m \models \varphi_m$ holds.

For the inductive step, assume $p^{K(\psi)}, q_i \models \mathrm{G}(\varphi_i \vee \mathrm{G}\psi'_{i+1})$. Claim 1 proves $p^{K(\psi)}, q_i \not\models
\varphi_j$ for $j \neq i$, and with $p^{K(\psi)}, q_i \not\models c$ we obtain $p^{K(\psi)}, q_i \not\models \mathrm{G}\psi'_{i+1}$. This implies
$p^{K(\psi)}, q_i \models \varphi_i$ and $p^{K(\psi)}, q_{i+1} \models \psi'_{i+1}$. By the inductive hypothesis, the claim follows.
■

For a path $p$ in $K(\psi)$, let $A_p$ be the corresponding assignment for $\psi$. It is clear
that $p^{K(\psi)}, q_i \models \varphi_i$ if and only if $A_p$ satisfies clause $C_i$ of $\psi$. Using Claim 2, it follows
that $p^{K(\psi)}, q_1 \models \psi'$ if and only if $A_p$ satisfies all clauses of $\psi$, i.e., $A_p$ satisfies $\psi$.

Using the one-to-one correspondence between paths in $K(\psi)$ and assignments to
the variables of $\psi$ we get $\psi \in$ 3SAT if and only if $\langle \psi', K(\psi), q_1 \rangle \in \mathrm{MC}(\{\mathrm{G}, \mathrm{X}\}, \{\vee\})$.

□ 

From [SC85] it follows that MC({G, X}, V) is in PSPACE. It remains open whether 
MC({G,X}, V) or MC({G,X},M) have an upper bound below PSPACE. 

Next, we consider formulae with the until-operator or the since-operator. We 
first show that using the until-operator makes model-checking intractable. 

Theorem 3.5. Let $B$ be a finite set of Boolean functions. Then $\mathrm{MC}(\{\mathrm{U}\}, B)$ is
NP-hard.

Proof. We give a reduction from 3SAT to $\mathrm{MC}(\{\mathrm{U}\}, \emptyset)$. This means that we do
not need any Boolean operators in the temporal formula over $\{\mathrm{U}\}$ to which a 3SAT
instance is mapped. Let $\psi = C_1 \wedge C_2 \wedge \dots \wedge C_m$ be a 3CNF formula consisting of $m$
clauses and $n$ variables. The structure $K(\psi)$ has states $\{q_1, \dots, q_m\} \cup \mathrm{LIT}(\psi) \cup \{s\}$,
with initial state $q_1$. The assignment for state $q_i$ is $\{a_1, \dots, a_i\}$ (for $i = 1, 2, \dots, m$),
and for state $l_i$ it is $\{a_1, \dots, a_m\} \cup \{b_j \mid \text{literal } l_i \in \mathrm{LIT}(\psi) \text{ appears in clause } C_j\}$.
In state $s$, no variable is assigned true. The relation between the states is as follows.
Each $q_i$ ($i = 1, 2, \dots, m - 1$) has an edge to $q_{i+1}$, $q_m$ has edges to $x_1$ and to $\overline{x}_1$, each
$l_i$ ($i = 1, 2, \dots, n - 1$) has edges to $x_{i+1}$ and to $\overline{x}_{i+1}$, and $x_n$ and $\overline{x}_n$ have an edge
to $s$. $s$ has an edge to $s$ only. Figure 3 gives an example. The following facts are
easy to verify for any path $p$ in $K(\psi)$. For the sake of simplicity, we use for a path
$p = (q_1, q_2, \dots)$ in $K(\psi)$ and $1 \leq i \leq m$ the notation $p^{K(\psi)}, q_i \models \alpha$ for $p^{K(\psi)}, i - 1 \models \alpha$.

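Fact 1. For $1 \leq j < i \leq m$ holds: $p^{K(\psi)}, q_j \not\models a_i \mathrm{U} b_i$.

Fact 2. For $1 \leq i \leq m$ holds: $\exists t : p^{K(\psi)}, t \models a_i \mathrm{U} b_i$ iff $p^{K(\psi)}, q_i \models a_i \mathrm{U} b_i$.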
Fig. 3. Structure $K(\psi)$ for $\psi = (x_1 \vee \neg x_2 \vee \neg x_4) \wedge (\neg x_1 \vee x_3 \vee \neg x_4) \wedge (\neg x_2 \vee x_4)$

The formulae $\varphi_0, \varphi_1, \dots$ are defined inductively as follows.

$$\varphi_0 = 1 \quad\text{and}\quad \varphi_{i+1} = \varphi_i\, \mathrm{U}\, (a_{i+1}\, \mathrm{U}\, b_{i+1}).$$

The reduction from 3SAT to $\mathrm{MC}(\{\mathrm{U}\}, \emptyset)$ is the mapping $\psi \mapsto \langle \varphi_m, K(\psi), q_1 \rangle$, where
$\psi$ is a 3CNF-formula with $m$ clauses. This reduction can evidently be performed in
logarithmic space. To prove its correctness, we use the following claim.

Claim 3. Let $K(\psi)$ be constructed from a formula $\psi$ with $m$ clauses, and let $p$
be a path in $K(\psi)$. For $j = 1, 2, \dots, m$, it holds that $p^{K(\psi)}, q_1 \models \varphi_j$ if and only if
$p^{K(\psi)}, q_1 \models \varphi_{j-1}$ and $p^{K(\psi)}, q_j \models a_j \mathrm{U} b_j$.

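Proof of Claim 3. We prove the claim by induction. The base case $j = 1$ is
straightforward: $p^{K(\psi)}, q_1 \models 1\, \mathrm{U}\, (a_1 \mathrm{U} b_1)$ is equivalent to $\exists t : p^{K(\psi)}, t \models (a_1 \mathrm{U} b_1)$, which
by Fact 2 is equivalent to $p^{K(\psi)}, q_1 \models a_1 \mathrm{U} b_1$. The inductive step is split into two
cases. First, assume $p^{K(\psi)}, q_1 \models \varphi_{j+1}$. Since $\varphi_{j+1} = \varphi_j\, \mathrm{U}\, (a_{j+1} \mathrm{U} b_{j+1})$, it follows that
$\exists t : p^{K(\psi)}, t \models a_{j+1} \mathrm{U} b_{j+1}$. Using Fact 2, we conclude $p^{K(\psi)}, q_{j+1} \models a_{j+1} \mathrm{U} b_{j+1}$. By
Fact 1, $p^{K(\psi)}, q_1 \not\models a_{j+1} \mathrm{U} b_{j+1}$. By the initial assumption, this leads to $p^{K(\psi)}, q_1 \models \varphi_j$.
Second, assume $p^{K(\psi)}, q_1 \models \varphi_j$ and $p^{K(\psi)}, q_{j+1} \models a_{j+1} \mathrm{U} b_{j+1}$. Using the induction
hypothesis, we obtain $p^{K(\psi)}, q_i \models a_i \mathrm{U} b_i$ for $i = 1, 2, \dots, j + 1$. By the construction of
$\varphi_{j+1}$ we immediately get $p^{K(\psi)}, q_1 \models \varphi_{j+1}$.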

We have a one-to-one correspondence between paths in $K(\psi)$ and assignments
to variables of $\psi$. For a path $p$ we will denote the corresponding assignment by $A_p$.
Using Claim 3, it is easy to see that the following properties are equivalent.

1. $A_p$ is a satisfying assignment for $\psi$.

2. Path $p$ in $K(\psi)$ contains for every $i = 1, 2, \dots, m$ a state with assignment $b_i$.

3. $p^{K(\psi)}, q_i \models a_i \mathrm{U} b_i$ for $i = 1, 2, \dots, m$.

4. $p^{K(\psi)}, q_1 \models \varphi_m$.

This concludes the proof that $\psi \in$ 3SAT if and only if $\langle \varphi_m, K(\psi), q_1 \rangle \in \mathrm{MC}(\{\mathrm{U}\}, \emptyset)$.

□ 
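
The reduction of Theorem 3.5 carried out on concrete formulae, as an added example that is not part of the paper: it builds $K(\psi)$ and $\varphi_m$, evaluates $\varphi_m$ on every path from $q_1$, and compares the verdict with a brute-force 3SAT check. The integer-tuple clause encoding, all function names, and the label $\{a_1, \dots, a_i\}$ for state $q_i$ (the reading under which Facts 1 and 2 hold) are assumptions of this example; enumerating all paths is exponential in $n$ and serves only to check the construction.

```python
from itertools import product

# Constructed inputs. A clause is a tuple of non-zero ints: k is x_k, -k is "not x_k".
FIG3_FORMULA = [(1, -2, -4), (-1, 3, -4), (-2, 4)]       # formula of Fig. 3, n = 4
UNSAT_FORMULA = [(1, 2), (1, -2), (-1, 2), (-1, -2)]     # unsatisfiable, n = 2


def build_kripke(clauses, n):
    """K(psi): returns (labels, successors, initial state q_1)."""
    m = len(clauses)
    all_a = {f"a{i}" for i in range(1, m + 1)}
    labels, succ = {"s": set()}, {"s": ["s"]}            # sink: no variable, self-loop
    for i in range(1, m + 1):                            # clause states q_1 .. q_m
        labels[("q", i)] = {f"a{j}" for j in range(1, i + 1)}   # assumed {a_1..a_i}
        succ[("q", i)] = [("q", i + 1)] if i < m else [("lit", 1), ("lit", -1)]
    for k in range(1, n + 1):                            # literal states x_k, not-x_k
        for lit in (k, -k):
            labels[("lit", lit)] = all_a | {
                f"b{j}" for j, clause in enumerate(clauses, 1) if lit in clause}
            succ[("lit", lit)] = [("lit", k + 1), ("lit", -k - 1)] if k < n else ["s"]
    return labels, succ, ("q", 1)


def build_formula(m):
    """phi_0 = 1 and phi_{i+1} = phi_i U (a_{i+1} U b_{i+1}); returns phi_m."""
    phi = ("true",)
    for i in range(1, m + 1):
        phi = ("U", phi, ("U", ("var", f"a{i}"), ("var", f"b{i}")))
    return phi


def truth_values(formula, path, labels):
    """Truth of `formula` at each position of the infinite path: `path`, then s forever."""
    if formula[0] == "true":
        return [True] * len(path)
    if formula[0] == "var":
        return [formula[1] in labels[state] for state in path]
    left = truth_values(formula[1], path, labels)
    right = truth_values(formula[2], path, labels)
    out = right[:]          # on the repeating sink, (f U g) holds iff g holds there
    for i in range(len(path) - 2, -1, -1):               # f U g == g or (f and X(f U g))
        out[i] = right[i] or (left[i] and out[i + 1])
    return out


def paths_to_sink(succ, start):
    """Every path from `start`, cut at its first visit of the sink s."""
    stack = [[start]]
    while stack:
        path = stack.pop()
        if path[-1] == "s":
            yield path
        else:
            stack.extend(path + [nxt] for nxt in succ[path[-1]])


def model_check(clauses, n):
    """Assignment A_p of some path p with p, q_1 |= phi_m, or None if there is none."""
    labels, succ, start = build_kripke(clauses, n)
    phi = build_formula(len(clauses))
    for path in paths_to_sink(succ, start):
        if truth_values(phi, path, labels)[0]:
            return {abs(st[1]): st[1] > 0 for st in path if st != "s" and st[0] == "lit"}
    return None


def satisfies(assignment, clauses):
    """True iff every clause contains a literal made true by `assignment`."""
    return all(any(assignment[abs(l)] == (l > 0) for l in c) for c in clauses)


def brute_force_sat(clauses, n):
    """Reference answer: try all 2^n assignments."""
    return any(satisfies(dict(enumerate(bits, 1)), clauses)
               for bits in product([False, True], repeat=n))


if __name__ == "__main__":
    for name, f, n in (("Fig. 3", FIG3_FORMULA, 4), ("unsat", UNSAT_FORMULA, 2)):
        print(name, "witness:", model_check(f, n), "3SAT says:", brute_force_sat(f, n))
```

The formula passed to the checker contains only U and the constant 1, so the hardness comes entirely from the path choice in $K(\psi)$, which is the point of the theorem.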

Although the until-operator and the since-operator appear to be similar, model-checking
for formulae that use the since-operator as only operator is as simple as
for formulae without temporal operators — see Theorem 4.6. The reason is that the
since-operator has no use at the beginning of a path of states, where no past exists.
It needs other temporal operators that can force a visit to a state on the path
that has a past.

Theorem 3.6. Let $B$ be a finite set of Boolean functions. Then $\mathrm{MC}(\{\mathrm{X}, \mathrm{S}\}, B)$ and
$\mathrm{MC}(\{\mathrm{G}, \mathrm{S}\}, B)$ are NP-hard.

Proof. We give a reduction from 3SAT to $\mathrm{MC}(\{\mathrm{G}, \mathrm{S}\}, \emptyset)$ that is similar to that in
the proof of Theorem 3.5 for $\mathrm{MC}(\{\mathrm{U}\}, \emptyset)$. Let $\psi$ be an instance of 3SAT, and let
$K(\psi)$ be the structure as in the proof of Theorem 3.5. From $K(\psi) = (W, R, \eta)$ we
obtain the structure $H(\psi) = (W', R', \eta')$ as follows. First, we add a new state $t$, i.e.,
$W' = W \cup \{t\}$. Second, replace $R$ by its inverse $R^{-1} = \{(v, u) \mid (u, v) \in R\}$ from
which the loop at state $s$ is removed. The state $s$ has in-degree 0 and will be seen
as initial state of $H(\psi)$. The new state $t$ will be used as sink state. Therefore, we
add the arcs $(q_1, t)$ and $(t, t)$. This results in $R' = (R^{-1} - \{(s, s)\}) \cup \{(q_1, t), (t, t)\}$.
Finally, we add a new variable $e$ that is true only in state $t$, and a variable $d$ that
is true in states $\mathrm{LIT}(\psi) \cup \{s\}$. For all other variables, $\eta'$ is the same as $\eta$. (Figure 4
shows an example.)

Fig. 4. Structure $H(\psi)$ for $\psi = (x_1 \vee \neg x_2 \vee \neg x_4) \wedge (\neg x_1 \vee x_3 \vee \neg x_4) \wedge (\neg x_2 \vee x_4)$

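The formulae $\varphi_1^m, \varphi_2^m, \dots, \varphi_{m+1}^m$ are defined inductively as follows.

$$\varphi_{m+1}^m = d \quad\text{and}\quad \varphi_i^m = (a_i\, \mathrm{S}\, b_i)\, \mathrm{S}\, \varphi_{i+1}^m \quad \text{for } i = 1, 2, \dots, m.$$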

The reduction from 3SAT to $\mathrm{MC}(\{\mathrm{G}, \mathrm{S}\}, \emptyset)$ is the mapping $\psi \mapsto \langle \mathrm{G}(e\, \mathrm{S}\, \varphi_1^m), H(\psi), s \rangle$,
where $\psi$ is a 3CNF-formula with $m$ clauses. This reduction can evidently be performed
in logarithmic space. To prove its correctness, we use the following claim.
Every path $p = (s, l_n, \dots, l_1, q_m, \dots, q_1, t, t, \dots)$ in $H(\psi)$ that begins in state $s$ corresponds
to an assignment $A_p = \{l_1, \dots, l_n\}$ to the variables in $\psi$, that sets all literals
to true that appear on $p$. For the sake of simplicity, we use the notation $p^{H(\psi)}, q_i \models \alpha$
for $p^{H(\psi)}, n + m - i + 1 \models \alpha$.
Claim 4. Let $H(\psi)$ be constructed from a formula $\psi = C_1 \wedge \dots \wedge C_m$ with $m$ clauses,
and let $p = (s, l_n, \dots, l_1, q_m, \dots, q_1, t, t, \dots)$ be a path in $H(\psi)$. For $j = 1, 2, \dots, m$
it holds that $p^{H(\psi)}, q_j \models \varphi_j^m$

if and only if the assignment $A_p$ satisfies clauses $C_j, \dots, C_m$.

Proof of Claim 4. Notice that $A_p$ satisfies clause $C_j$ if and only if $p$ contains a
state $w$ with $b_j \in \eta'(w)$. We prove the claim by induction. Since the variable $d$ holds
in all predecessors of $q_m$ in $p$ but not in $q_m$, it follows that $\varphi_m^m = (a_m \mathrm{S} b_m)\, \mathrm{S}\, d$ holds in
$q_m$ iff $a_m \mathrm{S} b_m$ holds in $q_m$. Since $b_m \notin \eta'(q_m)$, it follows that $a_m \mathrm{S} b_m$ holds in $q_m$ iff $b_m$
holds in a predecessor of $q_m$ iff $A_p$ satisfies $C_m$. This completes the base case. For the
inductive step, notice that $p^{H(\psi)}, q_j \models \varphi_j^m$ iff $p^{H(\psi)}, q_j \models a_j \mathrm{S} b_j$ and $p^{H(\psi)}, q_{j+1} \models \varphi_{j+1}^m$.
By the construction of $H(\psi)$ it follows that $p^{H(\psi)}, q_j \models a_j \mathrm{S} b_j$ iff $A_p$ satisfies $C_j$, and
the rest follows from the induction hypothesis. ■

Finally, let $\psi$ be a 3CNF formula, and let $p = (s, l_n, \dots, l_1, q_m, \dots, q_1, t, t, \dots)$
be a path in $H(\psi)$. On the first $n + 1$ states of $p$, the variable $d$ holds. Therefore,
$\varphi_1^m$ and henceforth $e\, \mathrm{S}\, \varphi_1^m$ is satisfied in all these states. On the $m$ following states
$q_m, \dots, q_1$, neither $d$ nor $e$ holds. Notice that $p^{H(\psi)}, q_i \models \varphi_1^m$ iff $p^{H(\psi)}, q_i \models \varphi_i^m$
(for $i = 2, 3, \dots, m$). By Claim 4, $\varphi_1^m$ and henceforth $e\, \mathrm{S}\, \varphi_1^m$ is satisfied in all these
states iff $A_p$ satisfies $\psi$. On the remaining states, only the variable $e$ holds. Hence,
$e\, \mathrm{S}\, \varphi_1^m$ is satisfied in all the latter states iff $A_p$ satisfies $\psi$. Concluding, it follows that
$p^{H(\psi)}, 0 \models \mathrm{G}(e\, \mathrm{S}\, \varphi_1^m)$ iff $A_p$ satisfies $\psi$. Since for every assignment to $\psi$ the structure
$H(\psi)$ contains a corresponding path, the correctness of the reduction is proven. □

The future-operator F alone is not powerful enough to make the since-operator 
S NP-hard: We will show in Theorem 4.7 that $\mathrm{MC}(\{\mathrm{F}, \mathrm{S}\}, B)$ for $[B] \subseteq V$ is NL-complete.
But with the help of $\neg$ or $\wedge$, the model-checking problem for F and S
becomes intractable. 

Theorem 3.7. Let $N^+$ be a finite set of Boolean functions such that $N \subseteq [N^+]$.
Then $\mathrm{MC}(\{\mathrm{F}, \mathrm{S}\}, N^+)$ is NP-hard.

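Proof. By Lemma 2.4 it suffices to give a reduction from 3SAT to $\mathrm{MC}(\{\mathrm{F}, \mathrm{S}\}, \{\neg\})$.
For a 3CNF formula $\psi$, let $\langle \mathrm{G}(e\, \mathrm{S}\, \varphi_1^m), H(\psi), s \rangle$ be the instance of $\mathrm{MC}(\{\mathrm{G}, \mathrm{S}\}, \emptyset)$ as
described in the proof of Theorem 3.6. Using $\mathrm{G}\alpha = \neg\mathrm{F}\neg\alpha$, it follows that $\mathrm{G}(e\, \mathrm{S}\, \varphi_1^m) =
\neg\mathrm{F}(\neg(e\, \mathrm{S}\, \varphi_1^m))$, where the latter is an N-formula over $\{\mathrm{F}, \mathrm{S}\}$. The correctness of the
reduction follows the same line as the proof of Theorem 3.6. □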

Theorem 3.8. Let B be a finite set of Boolean functions. Then MC({X, S}, B) is 
NP-hard. 

Proof. To prove NP-hardness, we give a reduction from 3SAT to MC({X, S}, $\emptyset$).
For a 3CNF formula $\psi$, let $H(\psi)$ be the structure as described in the proof of
Theorem 3.6. The reduction function maps $\psi$ to
$(X^{n+m+1}\varphi_1^\psi, H(\psi), s)$. The $X^{n+m+1}$ "moves" to state $q_1$ on any path
in $H(\psi)$. The correctness proof follows the same line as the proof of Theorem 3.6. □



An upper bound better than PSPACE for the intractable cases with the until-operator
or the since-operator remains open. We will now show that one canonical
way to prove an NP upper bound fails, by showing that these problems do not have
the "short path property", which claims that a path in the structure that fulfills
the formula has length polynomial in the length of the structure and the formula.
Hence, it will most likely be nontrivial to obtain a better upper bound.

We will now sketch such families of structures and formulae using an inductive
definition. Let $G_1, G_2, \ldots$ be the family of graphs presented in Figures 5 and 6.
Notice that $G_i$ is inserted into $G_{i+1}$ using the obvious lead-in and lead-out arrows.
The truth assignments for these graphs are as follows:

[Figures 5 and 6: the graphs $G_1$ and $G_{i+1}$ with their truth assignments; surviving
label: "truth assignment from $G_i$, $b_{i+1}$"]

Now the formulae are defined as follows:

$\varphi_1 = (a_1 U b_1) U c_1$,

and

$\varphi_{i+1} = ((a_{i+1} U \varphi_i) U b_{i+1}) U c_{i+1}$.

The rough idea behind the construction is as follows: To satisfy the formula $\varphi_1$
in $G_1$, the path has to repeat the circle once. In the inductive construction, this
leads to an exponential number of repetitions.



4 The good fragments: tractability results 

This subsection is concerned with fragments of LTL that have a tractable model- 
checking problem. We will provide a complete analysis for these fragments by proving 
that model checking for all of them is NL-complete or even solvable in logarithmic 
space. This exhibits a surprisingly large gap in complexity between easy and hard 
fragments. 

The following lemma establishes NL-hardness for all tractable fragments.

Lemma 4.1. Let B be a finite set of Boolean functions. Then MC({F}, B),
MC({G}, B), and MC({X}, B) are NL-hard.

Proof. First consider MC({F}, B). We reduce the accessibility problem for digraphs,
GAP, to MC({F}, $\emptyset$). The reduction is via the following logspace computable
function. Given an instance $(G, a, b)$ of GAP, where $G = (V, E)$ is a digraph and
$a, b \in V$, map it to the instance $(Fy, K(G), a)$ of MC({F}, $\emptyset$) with
$K(G) = (V, E^+, \eta)$, where $E^+$ denotes the reflexive closure of $E$, and $\eta$ is
given by $\eta(b) = \{y\}$ and $\eta(v) = \emptyset$, for all $v \in V - \{b\}$. It is
immediately clear that there is a path from $a$ to $b$ in $G$ if and only if there is a path
$p$ in $K(G)$ starting from $a$ such that $p^{K(G)}, 0 \models Fy$.

For MC({X}, B), we use an analogous reduction from GAP to MC({X}, $\emptyset$). Given
an instance $(G, a, b)$ of GAP, where $G = (V, E)$, transform it into the instance
$(X^{|V|} y, K(G), a)$ of MC({X}, $\emptyset$) with the Kripke structure $K(G)$ from above.
Now it is clear that there is a path from $a$ to $b$ in $G$ if and only if there is a path of
length $|V|$ from $a$ to $b$ in the reflexive structure $K(G)$, if and only if there is a
path $p$ in $K(G)$ starting from $a$ such that $p^{K(G)}, 0 \models X^{|V|} y$.

Now consider MC({G}, B). We reduce the following problem to MC({G}, $\emptyset$). Given
a directed graph $G = (V, E)$ and a vertex $a \in V$, is there an infinite path in $G$
starting at $a$? It is folklore that this is an NL-hard problem (see Lemma A.1 in the
Appendix). Given an instance $(G, a)$ of this problem, transform it into the instance
$(Gy, K'(G), a)$ of MC({G}, $\emptyset$), where $K'(G) = (V', E', \eta)$. Here
$V' = V \cup \{\tilde{v} \mid v \in V, v \text{ has no successor in } V\}$,
$E' = E \cup \{(v, \tilde{v}), (\tilde{v}, \tilde{v}) \mid \tilde{v} \in V'\}$,
$\eta(v) = \{y\}$ for all $v \in V$, and $\eta(\tilde{v}) = \emptyset$, for all
$\tilde{v} \in V'$. It is immediately clear that there is an infinite path in $G$ starting at
$a$ if and only if there is a path $p$ in $K'(G)$ starting from $a$ such that
$p^{K'(G)}, 0 \models Gy$. □

It now remains to establish upper complexity bounds. Let C be one of the clones
N, E, V, and L, and let B be a finite set of Boolean functions such that $[B] \subseteq C$.
Whenever we want to establish NL-membership for some problem MC($\cdot$, B), it will
suffice to assume that formulae are given over one of the bases $\{\neg, 0, 1\}$,
$\{\wedge, 0, 1\}$, $\{\vee, 0, 1\}$, or $\{\oplus, 0, 1\}$, respectively. This follows
since these clones only contain constants, projections, and multi-ary versions of not, and,
or, and $\oplus$, respectively.

Theorem 4.2. Let $N_-$ be a finite set of Boolean functions such that
$[N_-] \subseteq \mathrm{N}$. Then MC({F, G, X}, $N_-$) is NL-complete.

Proof. The lower bound follows from Lemma 4.1. For the upper bound, first note
that for an LTL formula $\psi$ the following equivalences hold: $FF\psi \equiv F\psi$,
$GG\psi \equiv G\psi$, $FGF\psi \equiv GF\psi$, $GFG\psi \equiv FG\psi$,
$G\psi \equiv \neg F \neg \psi$, and $F\psi \equiv \neg G \neg \psi$. Furthermore, it
is possible to interchange X and adjacent G-, F-, or $\neg$-operators without affecting
satisfiability. Under these considerations, each formula
$\varphi \in L(\{F, G, X\}, N_-)$ can be transformed without changing satisfiability into a
normal form $\varphi' = X^m P \sim y$, where $P$ is a prefix ranging over the values "empty
string", F, G, FG, and GF; $m$ is the number of occurrences of X in $\varphi$; $\sim$ is
either the empty string or $\neg$; and $y$ is a variable or a constant. This normal form has
two important properties. First, it can be represented in logarithmic space using two binary
counters $a$ and $b$. The counter $a$ stores $m$, and $b$ takes on values $0, \ldots, 9$ to
represent each possible combination of $P$ and $\sim$. Note that $a$ takes on values less
than $|\varphi|$, and $b$ has a constant range. Hence both counters require at most
logarithmic space. It is not necessary to store any information about $y$, because it can be
taken from the representation of $\varphi$.

Second, $\varphi'$ can be computed from $\varphi$ in logarithmic space. The value of $a$ is
obtained by counting the occurrences of X in $\varphi$, and $b$ is obtained by linearly
parsing $\varphi$ with the automaton that is given in Figure 7, and which ignores all
occurrences of X.




Fig. 7. An automaton that computes $P\sim$



The state of this automaton at the end of the passage through $\varphi$ determines the
values of $P$ and $\sim$ in $\varphi$. Now let $\varphi$ be an
$L(\{F, G, X\}, N_-)$-formula, $K = (W, R, \eta)$ a Kripke structure and $a \in W$. If $y$
is constant, the problem is trivial, therefore it remains to consider the case where $y$ is a
variable. According to the possible values of $P$ and $\sim$ in $\varphi$, there are ten
cases to consider. We only present the argumentation for those five in which $\sim$ is
empty. (For the dual cases, kindly replace each occurrence of "$\in \eta(b)$" by
"$\notin \eta(b)$".) In the following list, we assume that $m = 0$. As per
explanation below, this is not a significant restriction.

$P$ is empty. Then $(\varphi, K, a) \in$ MC({F, G, X}, $N_-$) if and only if there is a
    state $b$ in $K$ accessible from $a$ via $R$ such that $y \in \eta(b)$.
$P = F$. In this case we have to check whether there is a state $b \in W$ that can be
    reached from $a$ via $R$, and $y \in \eta(b)$.
$P = G$. We define $W' = \{b \in W \mid y \in \eta(b)\}$ and $R' = R \cap W' \times W'$. It
    holds that $(\varphi, K, a) \in$ MC({F, G, X}, $N_-$) if and only if there is some
    $b \in W'$ such that $b$ is accessible from $a$ via $R'$ and $b$ belongs to a cycle in $R'$.
$P = FG$. We can reduce this case to the previous one: $(\varphi, K, a) \in$
    MC({F, G, X}, $N_-$) if and only if there is some $b \in W$ that can be reached from $a$
    via $R$, and $(Gy, K, b) \in$ MC({F, G, X}, $N_-$).
$P = GF$. We have to check whether there exists some $b \in W$ that can be reached
    from $a$ via $R$ such that $y \in \eta(b)$ and $b$ belongs to a cycle.

Since the questions whether there is a path from any vertex to another and whether
any vertex belongs to a cycle in a directed graph can be answered in NL, all previously
given procedures are NL-algorithms. The restriction $m = 0$ is removed by
the observation that $(X^m P \sim y, K, a) \in$ MC({F, G, X}, $N_-$) if and only if there
exists some state $b$ in $K$ that is accessible from $a$ in $m$ $R$-steps such that
$(P \sim y, K, b) \in$ MC({F, G, X}, $N_-$). This reduces the case $m > 0$ to $m = 0$.

Hence we have found an NL-algorithm deciding MC({F, G, X}, $N_-$): Given
$(\varphi, K, a)$, compute $\varphi'$, guess a state $b$ accessible from $a$ in $m$
$R$-steps, apply the procedure of one of the above five cases to $(\varphi', K, a)$, and
accept if the last step was successful. □

Theorem 4.3. (1) Let $V_-$ be a finite set of Boolean functions such that
    $[V_-] \subseteq \mathrm{V}$. Then MC({F, X}, $V_-$) is NL-complete.
(2) Let $E_-$ be a finite set of Boolean functions such that $[E_-] \subseteq \mathrm{E}$.
    Then MC({G, X}, $E_-$) is NL-complete.

Proof. The lower bounds follow from Lemma 4.1.

First consider the case $[V_-] \subseteq \mathrm{V}$. It holds that
$F(\psi_1 \vee \cdots \vee \psi_n) \equiv F\psi_1 \vee \cdots \vee F\psi_n$ as well as
$XF\varphi \equiv FX\varphi$ and $X(\varphi \vee \psi) \equiv X\varphi \vee X\psi$.
Therefore, every formula $\varphi \in L(\{F, X\}, V_-)$ can be rewritten as

$\varphi' = FX^{i_1} y_1 \vee \cdots \vee FX^{i_n} y_n \vee X^{i_{n+1}} y_{n+1} \vee \cdots \vee X^{i_m} y_m$,

where $y_1, \ldots, y_m$ are variables or constants (note that this representation of
$\varphi$ can be constructed in L). Now let $(\varphi, K, a)$ be an instance of
MC({F, X}, $V_-$), where $K = (W, R, \eta)$, and let $\varphi$ be of the above form. Thus,
$(\varphi, K, a) \in$ MC({F, X}, $V_-$) if and only if for some $j \in \{n + 1, \ldots, m\}$,
there is a state $b \in W$ such that $y_j \in \eta(b)$ and $b$ is accessible from $a$ in
exactly $i_j$ $R$-steps or if, for some $j \in \{1, \ldots, n\}$, there is a state $b \in W$
such that $y_j \in \eta(b)$ and $b$ is accessible from $a$ in at least $i_j$ $R$-steps.
This can be tested in NL.

As for the case $[E_-] \subseteq \mathrm{E}$, we take advantage of the duality of F and G,
and $\wedge$ and $\vee$, respectively. Analogous considerations as above lead to the logspace
computable normal form

$\varphi' = GX^{i_1} y_1 \wedge \cdots \wedge GX^{i_n} y_n \wedge X^{i_{n+1}} y_{n+1} \wedge \cdots \wedge X^{i_m} y_m$.

Let $I = \max\{i_1, \ldots, i_m\}$. For each $j = 1, \ldots, m$, we define
$W^j = \{b \in W \mid y_j \in \eta(b)\}$ and $R^j = R \cap W^j \times W^j$. Furthermore, let
$W'$ be the union of $W^j$ for $j = 1, \ldots, n$ (!), and let $R' = R \cap W' \times W'$.
Now $(\varphi, K, a) \in$ MC({G, X}, $E_-$) if and only if there is some state $b \in W'$
satisfying the following conditions.

— There is an $R$-path $p$ of length at least $I$ from $a$ to $b$, where the first $I + 1$
  states on $p$ are $c_0 = a, c_1, \ldots, c_I$.

— The state $b$ lies on a cycle in $W'$.

— For each $j = 1, \ldots, n$, each state of $p$ from $c_{i_j}$ to $c_I$ is from $W^j$.

— For each $j = n + 1, \ldots, m$, the state $c_{i_j}$ is from $W^j$.

These conditions can be tested in NL as follows. Successively guess $c_1, \ldots, c_I$ and
verify their membership in the appropriate sets $W^j$. Then guess $b$, verify whether
$b \in W'$, whether $b$ lies on some $R'$-cycle, and whether there is an $R'$-path from
$c_I$ to $b$. □
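The test from part (1) of the proof, as an added example that is not code from the paper. It is a deterministic check (set-based search, not a logspace procedure), and it assumes a tuple encoding of formulae and a total successor relation `R` (every state has a successor), both chosen for this illustration:

```python
from collections import deque

# Formula encoding (constructed for this example, not the paper's notation):
#   ("var", "y") | ("F", f) | ("X", f) | ("or", f, g)


def disjuncts(f, under_f=False, x_count=0):
    """Yield (under_f, i, y) for every leaf: the disjunct F X^i y or X^i y.

    Uses F(f or g) = Ff or Fg, XF f = FX f, X(f or g) = Xf or Xg and FF f = Ff,
    so only the number of X's and the presence of an F above a leaf matter.
    """
    kind = f[0]
    if kind == "var":
        yield under_f, x_count, f[1]
    elif kind == "F":
        yield from disjuncts(f[1], True, x_count)
    elif kind == "X":
        yield from disjuncts(f[1], under_f, x_count + 1)
    elif kind == "or":
        for sub in f[1:]:
            yield from disjuncts(sub, under_f, x_count)
    else:
        raise ValueError(f"operator outside the fragment: {kind!r}")


def after_exactly(R, start, steps):
    """States reachable from start in exactly `steps` R-steps."""
    layer = {start}
    for _ in range(steps):
        layer = {w for v in layer for w in R[v]}
    return layer


def reachable_from(R, sources):
    """States reachable from any source in zero or more R-steps."""
    seen = set(sources)
    queue = deque(sources)
    while queue:
        v = queue.popleft()
        for w in R[v]:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return seen


def model_check(formula, R, eta, a):
    """True iff some path from a satisfies the formula at its first state."""
    for under_f, i, y in disjuncts(formula):
        candidates = after_exactly(R, a, i)            # exactly i_j steps
        if under_f:
            candidates = reachable_from(R, candidates)  # at least i_j steps
        if any(y in eta.get(b, set()) for b in candidates):
            return True
    return False


# Constructed sample structure: a -> b -> c (loop), a -> d (loop).
R = {"a": ["b", "d"], "b": ["c"], "c": ["c"], "d": ["d"]}
ETA = {"b": {"z"}, "c": {"y"}}

if __name__ == "__main__":
    print(model_check(("X", ("X", ("var", "y"))), R, ETA, "a"))
```
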

In the proof of Theorem 4.3, we have exploited the duality of F and G, and $\vee$ and
$\wedge$, respectively. Furthermore, the proof relied on the fact that F and $\vee$ (and G
and $\wedge$) are interchangeable. This is not the case for F and $\wedge$, or G and $\vee$,
respectively. Hence it is not surprising that MC({F}, $\{\wedge\}$) is NP-hard
(Corollary 3.3). However, the NL-membership of MC({F, G}, $\{\vee\}$) is surprising. Before
we formulate this result, we try to provide an intuition for the tractability of this
problem. The main reason is that an inductive view on $L(\{F, G\}, \{\vee\})$-formulae allows
us to subsequently guess parts of a satisfying path without keeping the previously guessed
parts in memory. This is possible because each $L(\{F, G\}, \{\vee\})$-formula $\varphi$ can
be rewritten as

$\varphi = y_1 \vee \cdots \vee y_n \vee Fz_1 \vee \cdots \vee Fz_m \vee G\psi_1 \vee \cdots \vee G\psi_\ell \vee FG\psi_{\ell+1} \vee \cdots \vee FG\psi_k$,   (1)

where the $y_i$, $z_i$ are variables (or constants), and each $\psi_i$ is an
$L(\{F, G\}, \{\vee\})$-formula of the same form with a strictly smaller nesting depth of
G-operators. Now, $\varphi$ is true at the beginning of some path $p$ iff one of its
disjuncts is true there. In case none of the $y_i$ or $Fz_i$ is true, we must guess one of
the $G\psi_i$ (or $FG\psi_j$) and check whether $\psi_i$ (or $\psi_j$) is true on the entire
path $p$ (or on $p$ minus some finite number of initial states). Now $\psi_i$ is again of the
above form. So we must either find an infinite path on which
$y_1 \vee \cdots \vee y_n \vee Fz_1 \vee \cdots \vee Fz_m$ is true everywhere (a cycle
containing at least $|N|$ states satisfying some $y_i$ or $z_i$ suffices, where $N$ is the
set of states of the Kripke structure), or we must find a finite path satisfying the same
conditions and followed by an infinite path satisfying one of the $G\psi_i$ (or $FG\psi_j$)
at its initial point. Hence we can recursively solve a problem of the same kind with reduced
problem size. Note that it is neither necessary to explicitly compute the normal form for
$\varphi$ or one of the $\psi_i$, nor need previously visited states be stored in memory.

Theorem 4.4. Let $V_-$ be a finite set of Boolean functions such that
$[V_-] \subseteq \mathrm{V}$. Then MC({G}, $V_-$) and MC({F, G}, $V_-$) are NL-complete.

Proof. The lower bound follows from Lemma 4.1. It remains to show NL-membership
of MC({F, G}, $V_-$). For this purpose, we devise the recursive algorithm
$\mathrm{MC}_{\{F,G\},V}$ as given in Table 2. Note that we have deliberately left out
constants. This is no restriction, since we have observed in Lemma 2.2 that each constant can
be regarded as a variable that is set to true or false throughout the whole Kripke structure.

The parameter mode indicates the current "mode" of the computation. The idea
is as follows. In order to determine whether $\varphi$ is satisfiable at the initial point of
some structure starting at $a$ in $K$, the algorithm has to be in mode now. This, hence,
is the default setting for the first call of $\mathrm{MC}_{\{F,G\},V}$. As soon as the
algorithm chooses to process a G-subformula $G\alpha$ of $\varphi$, it has to determine
whether $\alpha$ is satisfiable at every point in some structure starting at the currently
visited state in $K$. It therefore changes into always mode and calls itself recursively with
the first parameter set to $\alpha$, see Line 17.

Algorithm $\mathrm{MC}_{\{F,G\},V}$

Input   $\varphi \in L(\{F, G\}, V_-)$
        Kripke structure $K = (W, R, \eta)$
        $a \in W$
        additional parameter mode $\in$ {now, always}
Output  accept or reject

 1: $c \leftarrow 0$; $\psi \leftarrow \varphi$; $b \leftarrow a$; Ffound $\leftarrow$ false
 2: while $c \le |W|$ do
 3:   if $\psi = \alpha_0 \vee \alpha_1$ (for some $\alpha_0, \alpha_1$) then
 4:     guess $i \in \{0, 1\}$
 5:     $\psi \leftarrow \alpha_i$
 6:   else if $\psi = F\alpha$ (for some $\alpha$) then
 7:     Ffound $\leftarrow$ true
 8:     $\psi \leftarrow \alpha$
 9:   else /* $\psi$ is some $G\alpha$ or a variable */
10:     if Ffound then /* process encountered F */
11:       guess $n$ with $0 \le n \le |W|$
12:       for $i = 1, 2, \ldots, n$ do /* if $n = 0$, ignore this loop */
13:         $b \leftarrow$ guess some $R$-successor of $b$
14:       end for
15:     end if
16:     if $\psi = G\alpha$ (for some $\alpha$) then
17:       call $\mathrm{MC}_{\{F,G\},V}(\alpha, K, b, \text{always})$
18:     else /* $\psi$ is a variable */
19:       if $\psi \notin \eta(b)$ then
20:         reject
21:       end if
22:       if mode = always then
23:         $c \leftarrow c + 1$
24:         $b \leftarrow$ guess some $R$-successor of $b$
25:         Ffound $\leftarrow$ false
26:         $\psi \leftarrow \varphi$
27:       else
28:         accept
29:       end if
30:     end if
31:   end if
32: end while
33: accept

Table 2. The algorithm $\mathrm{MC}_{\{F,G\},V}$

Hence, given an instance $(\varphi, K, a)$ of the problem MC({F, G}, $V_-$), we have to
invoke $\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{now})$ in order to determine whether
there is a satisfying path for $\varphi$ in $K$ starting at $a$. It is easy to see that this
call always terminates: First, whenever the algorithm calls itself recursively, the first
argument of the new call is a strict subformula of the original first argument. Therefore
there can be at most $|\varphi|$ recursive calls. Second, within each call, each passage
through the while loop (Lines 2-32) either decreases $\psi$ or increases $c$. Hence, there
can be at most $|\varphi| \cdot (|W| + 1)$ passages through the while loop until the
algorithm accepts or rejects.

$\mathrm{MC}_{\{F,G\},V}$ is an NL algorithm: The values of all parameters and programme
variables are either subformulae of the original formula $\varphi$, states of the given
Kripke structure $K$, counters of range $0, \ldots, |W| + 1$, or Booleans. They can all be
represented using $\lceil \log |\varphi| \rceil$, $\lceil \log(|W| + 1) \rceil$, or
constantly many bits. Furthermore, since the algorithm uses no return command, the recursive
calls may re-use the space provided for all parameters and programme variables, and no
return addresses need be stored.

It remains to show the correctness of $\mathrm{MC}_{\{F,G\},V}$, which we will do in two
steps, in always mode, which will be shown by induction on the nesting depth of the
G-operator in $\varphi$. We denote this value by $\mu_G(\varphi)$. Claim 6 will then ensure
the correct behaviour in now mode.

Claim 5. For each $\varphi \in L(\{F, G\}, V)$, each $K = (W, R, \eta)$, and each $a \in W$:
$(G\varphi, K, a) \in$ MC({F, G}, $V_-$) $\iff$ there is an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{always})$.

Proof of Claim 5. For the base case of the induction, let $\mu_G(\varphi) = 0$. Because of
the equivalences $F(\psi_1 \vee \psi_2) \equiv F\psi_1 \vee F\psi_2$ and
$FF\psi \equiv F\psi$, we may assume w.l.o.g. that any occurrence of the F-operator is in
front of some variable in $\varphi$. If we think of $\varphi$ as a tree, this means that
F-operators can only occur in direct predecessors of leaves. Note that the algorithm
computes this normal form implicitly: Whenever it guesses a path from the root ($\varphi$)
to some leaf (a variable) in the tree and encounters an F-operator in Line 6, the flag
Ffound is set. Only after processing all $\vee$-operators on the remaining part of the path,
the F-operator is processed in Lines 10-15. Now let $\mathrm{VAR}_1(\varphi)$ be all
variables that occur in the scope of an F-operator in $\varphi$, and let
$\mathrm{VAR}_0(\varphi)$ be all other variables in $\varphi$.

For the "$\Rightarrow$" direction, suppose $(G\varphi, K, a) \in$ MC({F, G}, $V_-$). Then
there exists a path $p$ in $K$ such that $p_0 = a$, and for all $i \ge 0$,
$p^K, i \models \varphi$. This means that, for each $i$, either there exists some
$x_i \in \mathrm{VAR}_0(\varphi)$ such that $p^K, i \models x_i$, or there is some
$x_i \in \mathrm{VAR}_1(\varphi)$ such that $p^K, i \models Fx_i$. Now it can be seen that
there is a non-rejecting sequence of runs through the while loop in Lines 2-32 after which
$c$ has value $|W| + 1$, which then leads to the accept in Line 33:

Consider the beginning of an arbitrary single run through the while loop in Line 2.
Let $p_i$ be the current value of $b$. If $x_i \in \mathrm{VAR}_0(\varphi)$, then the
algorithm can "guess its way through the tree of $\varphi$" in Lines 3-5 and finally reaches
Line 19 with $\psi = x_i$. It does not reject in Line 20, increases $c$ in Line 23, guesses
$p_{i+1}$ in Line 24, and resets Ffound and $\psi$ appropriately in Lines 25, 26. Otherwise,
if $x_i \in \mathrm{VAR}_1(\varphi)$, then there is some $n \ge 0$ such that $p_{i+n}$
satisfies $x_i$. It is safe to assume that $n \le |W|$ because otherwise the path from $p_i$
to $p_{i+n}$ would describe a cycle within $K$ which could be replaced by a shorter, more
direct, path without affecting satisfiability of the relevant subformulae in the states
$p_0, \ldots, p_i$. Now the algorithm can proceed as in the previous case, but, in addition,
it has to guess the correct value of $n$ and the sequence $p_{i+1}, \ldots, p_{i+n}$ in
Lines 10-15.

For the "$\Leftarrow$" direction, let there be an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{always})$.
Since the algorithm is in always mode, and $\varphi$ is G-free, the acceptance can only take
place in Line 33, without a recursive call in Line 17. Hence the counter $c$ reaches
value $|W| + 1$ in the while loop in Lines 2-32.

Let $p = p_0, p_1, \ldots, p_m$ be the sequence of states guessed in this run in Lines 13
and 24, where $p_0 = a$. Furthermore, let $i_0, \ldots, i_{|W|+1}$ be an index sequence that
determines a subsequence of $p$ such that

— $0 = i_0 < i_1 < \cdots < i_{|W|+1} = m$, and

— for each $j > 0$, $p_{i_j}$ is the value assigned to $b$ in Line 24 after having set $c$
  to value $j$ in Line 23.

Now it is clear that for all $j = 0, \ldots, |W|$, there must be a variable $x_j$ such that
$x_j \in \eta(p_{i_{j+1}-1})$. If $x_j \in \mathrm{VAR}_0(\varphi)$, then
$p_{i_{j+1}} = p_{i_j + 1}$, and each structure $p'$ extending $p$ beyond $p_m$ satisfies
$x_j$ (and hence $\varphi$) at $p_{i_j}$. Otherwise $x_j \in \mathrm{VAR}_1(\varphi)$, and
the accepting run of the algorithm has guessed the states
$p_{i_j}, \ldots, p_{i_{j+1}-1}$ in Line 13. In this case, each structure $p'$ extending $p$
beyond $p_m$ satisfies $Fx_j$ (and hence $\varphi$) at $p_{i_j}, \ldots, p_{i_{j+1}-1}$.
From these two cases, we conclude that each such $p'$ satisfies $\varphi$ in all
states $p_0, \ldots, p_m$.

We now restrict attention to the states $p_{i_1 - 1}, \ldots, p_{i_{|W|+1} - 1}$. Among
these $|W| + 1$ states, at least one of the $|W|$ states of $K$ has to occur twice. Assume
$p_{i_j - 1}$ and $p_{i_k - 1}$ represent the same state from $K$, where $j < k$. Then we
can create an (infinite) structure $p''$ from $p$ that consists of states
$p_0, \ldots, p_{i_k - 1}$, followed by an infinite repetition of the sequence
$p_{i_j}, \ldots, p_{i_k - 1}$. It is now obvious that $p''$ satisfies $\varphi$ in every
state, hence $(p'')^K, 0 \models G\varphi$, that is,
$(G\varphi, K, a) \in$ MC({F, G}, $V_-$).

For the induction step, let $\mu_G(\varphi) > 0$. For the same reasons as above, we can
assume that any F-operator only occurs in front of variables or in front of some G-operator
in $\varphi$. This "normal form" is taken care of by setting Ffound to true when F is found
(Line 7) and processing this occurrence of F only when a variable or some G-operator
is found (Lines 10-15).

For the "$\Rightarrow$" direction, suppose $(G\varphi, K, a) \in$ MC({F, G}, $V_-$). Then
there exists a path $p$ in $K$ such that $p_0 = a$, and for all $i \ge 0$,
$p^K, i \models \varphi$. We describe an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{always})$. Consider a single passage through
the while loop with the following configuration. The programme counter has value 2, $c$ has
value at most $|W|$, $b$ has value $p_i$, and $\psi$ has value $\varphi$. Since
$p^K, i \models \varphi$, there are four possible cases. The argumentation for the first two
of them is the same as in the base case.

Case 1. $p^K, i \models x$, for some $x \in \mathrm{VAR}_0(\varphi)$.
Case 2. $p^K, i \models Fx$, for some $x \in \mathrm{VAR}_1(\varphi)$.

Case 3. $p^K, i \models G\alpha$, for some maximal G-subformula $G\alpha$ of $\varphi$ that
    is not in the scope of some F-operator.

    This means that $\alpha$ is true everywhere on the path $p_i, p_{i+1}, p_{i+2}, \ldots$.
    Hence, due to the induction hypothesis,
    $\mathrm{MC}_{\{F,G\},V}(\alpha, K, b_i, \text{always})$ has an accepting run. By
    appropriate guesses in Line 4, the current call of the algorithm can reach that
    accepting recursive call in Line 17.
Case 4. $p^K, i \models G\alpha$, for some maximal G-subformula $G\alpha$ of $\varphi$ that
    is in the scope of some F-operator.

    By combining the arguments of Cases 3 and 2, we can find an accepting
    run for this case.

If only Cases 1 or 2 occur more than $|W|$ times in a sequence, then $c$ will finally take
on value $|W| + 1$, and this call will accept in Line 31. Otherwise, whenever one of
Cases 3 and 4 occurs, then the acceptance of the new call — and hence of the current
call — is due to the induction hypothesis.

For the "$\Leftarrow$" direction, let there be an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{always})$.
Since the algorithm is in always mode, the acceptance can only take place in Line
33 or in the recursive call in Line 17. If the run accepts in Line 33, the same arguments
as in the base case apply. If the acceptance is via the recursive call, then
let $p = p_0, \ldots, p_m$ be the sequence of states guessed such that $p_0 = a$, and $p_m$
is the value of $b$ when the recursive call with $G\alpha$ takes place. Due to the induction
hypothesis, $(G\alpha, K, b_m) \in$ MC({F, G}, $V_-$) and, hence, there is an infinite
structure $p'$ extending $p$ beyond $p_m$ such that $(p')^K, m \models G\varphi$.
Furthermore, we can use the same argumentation as in the base case to show that, for each
$i < m$, $(p')^K, i \models \varphi$. Therefore, $(p')^K, 0 \models G\varphi$, which proves
$(G\varphi, K, a) \in$ MC({F, G}, $V_-$). ■

Claim 6. For each $\varphi \in L(\{F, G\}, V_-)$, each $K = (W, R, \eta)$, and each
$a \in W$:

$(\varphi, K, a) \in$ MC({F, G}, $V_-$) $\iff$ there is an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{now})$.

Proof of Claim 6. For the "$\Rightarrow$" direction, suppose
$(\varphi, K, a) \in$ MC({F, G}, $V_-$). Then there exists a path $p$ in $K$ such that
$p_0 = a$ and $p^K, 0 \models \varphi$. We describe an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{now})$. Consider the first passage through the
while loop with the following configuration. The programme counter has value 2, $c$ has
value 0 (this value does not change in now mode), $b$ has value $a$, and $\psi$ has value
$\varphi$. Since $p^K, 0 \models \varphi$, there are four possible cases. The argumentation
for them is very similar to that in the proof of Claim 5.

Case 1. $p^K, 0 \models x$, for some $x \in \mathrm{VAR}_0(\varphi)$.

    As in the proof of Claim 5, the algorithm can guess the appropriate disjuncts
    in Lines 3-5, does not reject in Line 20 and accepts (it is in now mode!) in
    Line 28.

Case 2. $p^K, 0 \models Fx$, for some $x \in \mathrm{VAR}_1(\varphi)$.

    As in the proof of Claim 5, there exists some $n$ with $0 \le n \le |W|$ such that
    $b_n$ satisfies $x$. The algorithm can proceed as in the previous case, but, in
    addition, it has to guess the correct value of $n$ and the sequence $p_1, \ldots, p_n$
    in Lines 10-15.

Case 3. $p^K, 0 \models G\alpha$, for some maximal G-subformula $G\alpha$ of $\varphi$ that
    is not in the scope of some F-operator.

    This means that $\alpha$ is true everywhere on the path $p$. Hence, due to the
    induction hypothesis, $\mathrm{MC}_{\{F,G\},V}(\alpha, K, b_i, \text{now})$ has an
    accepting run. By appropriate guesses in Line 4, the current call of the algorithm can
    reach that accepting recursive call in Line 17.
Case 4. $p^K, 0 \models G\alpha$, for some maximal G-subformula $G\alpha$ of $\varphi$ that
    is in the scope of some F-operator.

    By combining the arguments of Cases 3 and 2, we can find an accepting
    run for this case.

For the "$\Leftarrow$" direction, suppose there exists an accepting run of
$\mathrm{MC}_{\{F,G\},V}(\varphi, K, a, \text{now})$.
Since the algorithm is in now mode, the acceptance can only take place in Line 28
or in the recursive call in Line 17. If the run accepts in Line 28, then there is some
variable $x$ such that either $x \in \mathrm{VAR}_0(\varphi)$ and $x \in \eta(a)$, or
$x \in \mathrm{VAR}_1(\varphi)$ and the run guesses a path $p_0, \ldots, p_m$ with $p_0 = a$
and $x \in \eta(p_m)$. In both cases, each structure $p'$ extending the sequence of states
guessed so far satisfies $\varphi$ at $a$. On the other hand, if the run accepts in the
recursive call, we can argue as in the proof of Claim 5. ■ □



Unfortunately, the above argumentation fails for MC({G, X}, V) because of the
following considerations. The NL-algorithm in the previous proof relies on the fact
that a satisfying path for $G\psi$, where $\psi$ is of the form (1), can be divided into a
"short" initial part satisfying the disjunction of the atoms, and the remaining end
path satisfying one of the $G\psi_i$ at its initial state. When guessing the initial part, it
suffices to separately guess each state and consult $\eta$.

If X were in our language, the disjuncts would be of the form $X^{k_i} y_i$ and
$X^{\ell_i} G\psi_i$. Not only would this make the guessing of the initial part more
intricate. It would also require memory for processing each of the previously satisfied
disjuncts $X^{k_i} y_i$. An adequate modification of $\mathrm{MC}_{\{F,G\},V}$ would require
more than logarithmic space. We have shown NP-hardness for MC({G, X}, V) in Theorem 3.4.

Theorem 4.5. Let $L_-$ be a finite set of Boolean functions such that
$[L_-] \subseteq \mathrm{L}$. Then MC({X}, $L_-$) is NL-complete.

Algorithm $\mathrm{MC}_{\{X\},L}$

Input   $\varphi' = X^{i_1} p_1 \oplus \cdots \oplus X^{i_\ell} p_\ell$
        Kripke structure $K = (W, R, \eta)$
        $a \in W$
Output  accept or reject

parity $\leftarrow 0$; $b \leftarrow a$; $k \leftarrow 0$
while $k \le m$ do
  for $j = 1, \ldots, \ell$ do
    if $i_j = k$ and $p_j \in \eta(b)$ then
      parity $\leftarrow 1 -$ parity
    end if
  end for
  $k \leftarrow k + 1$
  $b \leftarrow$ guess some $R$-successor of $b$
end while
return parity

Table 3. The algorithm $\mathrm{MC}_{\{X\},L}$



Proof. The lower bound follows from Lemma 4.1.

For the upper bound, let $\varphi \in L(\{X\}, L_-)$ be a formula, $K = (W, R, \eta)$ a
Kripke structure, and $a \in W$ a state. Let $m$ denote the maximal nesting depth
of X-operators in $\varphi$. Since for any $k$-ary Boolean operator $f$ from $L_-$, the
formula $Xf(\psi_1, \ldots, \psi_k)$ is equivalent to $f(X\psi_1, \ldots, X\psi_k)$,
$\varphi$ is equivalent to a formula $\varphi' \in L(\{X\}, L_-)$ of the form
$\varphi' = X^{i_1} p_1 \oplus \cdots \oplus X^{i_\ell} p_\ell$, where $0 \le i_j \le m$ for
each $j = 1, \ldots, \ell$. It is not necessary to compute $\varphi'$ all at once, because it
will be sufficient to calculate $i_j$ each time the variable $p_j$ is encountered in the
algorithm $\mathrm{MC}_{\{X\},L}$ given in Table 3.

It is easy to see that $\mathrm{MC}_{\{X\},L}$ returns 1 if and only if $\varphi$ is
satisfiable. From the used variables, it is clear that $\mathrm{MC}_{\{X\},L}$ runs in
nondeterministic logarithmic space. □
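A deterministic simulation of the parity algorithm of Table 3, as an added example that is not code from the paper: instead of guessing one successor per step, it carries the set of all reachable (state, parity) pairs. The tuple encoding of formulae, the treatment of the constant 1 as a term that always flips the parity, and the total successor relation `R` are assumptions of this illustration.

```python
# Formula encoding (constructed for this example, not the paper's notation):
#   ("var", "p") | ("const", 0 or 1) | ("X", f) | ("xor", f, g)


def xor_terms(f, depth=0):
    """Push X inward and yield the terms (i_j, p_j) of X^{i_1}p_1 xor ... ;
    p_j is None for the constant 1, and the constant 0 contributes nothing."""
    kind = f[0]
    if kind == "var":
        yield depth, f[1]
    elif kind == "const":
        if f[1]:
            yield depth, None
    elif kind == "X":
        yield from xor_terms(f[1], depth + 1)
    elif kind == "xor":
        for sub in f[1:]:
            yield from xor_terms(sub, depth)
    else:
        raise ValueError(f"operator outside the fragment: {kind!r}")


def satisfying_path_exists(formula, R, eta, a):
    """True iff some path starting at a makes the formula true at position 0."""
    terms = list(xor_terms(formula))
    m = max((i for i, _ in terms), default=0)
    configs = {(a, 0)}                    # all (b, parity) pairs after k steps
    for k in range(m + 1):
        updated = set()
        for b, parity in configs:
            for i, p in terms:            # the inner for-loop of Table 3
                if i == k and (p is None or p in eta.get(b, set())):
                    parity = 1 - parity
            updated.add((b, parity))
        if k == m:                        # no term looks beyond position m
            return any(parity == 1 for _, parity in updated)
        # every possible "guess some R-successor of b" at once
        configs = {(w, parity) for b, parity in updated for w in R[b]}
    return False


# Constructed sample structure: a -> b (loop), a -> c (loop).
R_XOR = {"a": ["b", "c"], "b": ["b"], "c": ["c"]}
ETA_XOR = {"a": {"p"}, "b": {"q"}}

if __name__ == "__main__":
    f = ("xor", ("var", "p"), ("X", ("var", "q")))
    print(satisfying_path_exists(f, R_XOR, ETA_XOR, "a"))
```

The set of configurations has at most 2|W| elements, so the simulation runs in time polynomial in the size of the structure and the formula.
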

In the fragment with S as the only temporal operator, S is without effect, since
we can never leave the initial state. Hence, any formula $\alpha S \beta$ is satisfied at the
initial state of any structure $K$ if and only if $\beta$ is. This leads to a straightforward
logspace reduction from MC({S}, BF) to MC($\emptyset$, BF): Given a formula
$\varphi \in L(\{S\}, \mathrm{BF})$, successively replace every subformula $\alpha S \beta$
by $\beta$ until all occurrences of S are eliminated. The resulting formula $\varphi'$ is
initially satisfied in any structure $K$ iff $\varphi$ is.

Now MC($\emptyset$, BF) is the Formula Value Problem, which has been shown to be
solvable in logarithmic space in [Lyn77]. Thus we obtain the following result.

Theorem 4.6. Let B be a finite set of Boolean functions. Then MC({S}, B) $\in$ L.

In our classification of complexity, which is based on logspace reductions $\le_m^{\log}$,
a further analysis of S-fragments is not possible. However, a more detailed picture
emerges if stricter reductions are considered, see [Sch07, Chapter 2].

Theorem 4.7. Let $V_-$ be a finite set of Boolean functions such that
$[V_-] \subseteq \mathrm{V}$. Then MC({S, F}, $V_-$) is NL-complete.

Proof. The lower bound follows from Lemma 4.1. For the upper bound, we will
show that MC({S, F}, $V_-$) can be reduced to MC({F}, $V_-$) by disposing of the
S-operator as follows. Consider an arbitrary Kripke structure $K$ and a path $p$ therein.
Then the following equivalences hold.

$p^K, 0 \models \alpha S \beta$ iff $p^K, 0 \models \beta$   (2)
$p^K, 0 \models F(\alpha S \beta)$ iff $p^K, 0 \models F\beta$   (3)
$p^K, 0 \models F(\alpha \vee \beta)$ iff $p^K, 0 \models F\alpha \vee F\beta$   (4)
$p^K, 0 \models FF\alpha$ iff $p^K, 0 \models F\alpha$   (5)

Statements (4) and (5) are standard properties and follow directly from the
definition of satisfaction for F and $\vee$. Statement (2) is simply due to the fact that
there is no state in the past of $p_0$. As for (3), we consider both directions separately.
Assume that $p^K, 0 \models F(\alpha S \beta)$. Then there is some $i \ge 0$ such that
$p^K, i \models \alpha S \beta$. This implies that there is some $j$ with $0 \le j \le i$
and $p^K, j \models \beta$. Hence, $p^K, 0 \models F\beta$. For the other direction, let
$p^K, 0 \models F\beta$. Then there is some $i \ge 0$ such that $p^K, i \models \beta$.
This implies $p^K, i \models \alpha S \beta$. Hence, $p^K, 0 \models F(\alpha S \beta)$.

Now consider an arbitrary formula $\varphi \in L(\{S, F\}, V_-)$. Let $\varphi'$ be the
formula obtained from $\varphi$ by successively replacing the outermost S-subformula
$\alpha S \beta$ by $\beta$ until all occurrences of S are eliminated. This procedure can be
performed in logarithmic space, and the result $\varphi'$ is in $L(\{F\}, V_-)$. Due to
(2)-(5), for any path $p$ in any Kripke structure $K$, it holds that
$p^K, 0 \models \varphi$ if and only if $p^K, 0 \models \varphi'$. Hence, the mapping
$\varphi \mapsto \varphi'$ is a logspace reduction from MC({S, F}, $V_-$) to
MC({F}, $V_-$). □



5 Conclusion, and open problems: the ugly fragments 

We have almost completely separated the model-checking problem for Linear Temporal
Logic with respect to arbitrary combinations of temporal and propositional
operators into tractable and intractable cases. We have shown that all tractable
MC problems are at most NL-complete or even easier to solve. This exhibits a
surprisingly large gap in complexity between tractable and intractable cases. The only
fragments that we have not been able to cover by our classification are those where
only the binary xor-operator is allowed. However, this is not the first time that this
constellation has been difficult to handle, see [BHSS06, BSS+07]. Therefore, these
fragments can justifiably be called ugly.

The borderline between tractable and intractable fragments is somewhat diffuse
among all sets of temporal operators without U. On the one hand, this borderline
is not determined by a single set of propositional operators (which is the case for
the satisfiability problem, see [BSS+07]). On the other hand, the columns E and
V do not, as one might expect, behave dually. For instance, while MC({G}, V) is
tractable, MC({F}, E) is not — although F and G are dual, and so are V and E.

Further work should find a way to handle the open xor cases from this paper 
as well as from [BHSS06, BSS+07]. In addition, the precise complexity of all hard 
fragments not in bold-face type in Table 1 could be determined. Furthermore, we find 
it a promising perspective to use our approach for obtaining a fine-grained analysis 
of the model-checking problem for more expressive logics, such as CTL, CTL*, and 
hybrid temporal logics. 

A Known Facts from Graph Theory 

Lemma A.1. The following problem is NL-hard. Given a directed graph $G = (V, E)$ 
and a node $a \in V$, is there an infinite path in $G$ starting at $a$? 

Proof. We reduce from the graph accessibility problem (GAP), which is defined as 
follows. Given a directed graph $G = (V, E)$ and two nodes $a, b \in V$, is there a path 
in $G$ from $a$ to $b$? This problem is known to be NL-complete [Sav73]. 

For the reduction, consider an arbitrary instance $(G, a, b)$ of GAP, where $G = 
(V, E)$ and $a, b \in V$. Let $|V| = n$. We transform $G$ into a new graph $G'$ that consists 
of $n$ "layers" each of which contains a copy of the nodes from $V$. Whenever there is 
an edge from node $v$ to node $w$ in $G$, the new graph $G'$ will have edges from each 
copy of $v$ to the copy of $w$ on the next layer. This destroys all cycles from $G$. Now 
we add an edge from each copy of $b$ to the first copy of $a$. 

More formally, transform $(G, a, b)$ into $(G', a^1)$, where $G' = (V', E')$ with 

$V' = \{v^i \mid v \in V \text{ and } 1 \leq i \leq n\}$, 

$E' = \{(v^i, w^{i+1}) \mid (v, w) \in E \text{ and } 1 \leq i < n\} \cup \{(b^i, a^1) \mid 1 \leq i \leq n\}$. 

It is easy to see that this transformation is a logspace reduction. Let the size 
of a graph be determined by the size of its adjacency matrix. Hence $G$ has size $n^2$, 
and $G'$ is of size $n^4$. Apart from the representation of $G'$, the only space required 
by the described transformation is spent for four counters that take values between 
1 and $n$. With their help, each bit of the new adjacency matrix is set according to 
the definition of $E'$, where only a look-up in the old adjacency matrix is required. 

It remains to prove the following claim. 

Claim 7. For each directed graph $G = (V, E)$ and each pair of nodes $a, b \in V$, 
there exists a path in $G$ from $a$ to $b$ if and only if there exists an infinite path in $G'$ 
starting at $a^1$. 

Proof of Claim 7. "$\Rightarrow$". Suppose there is a path in $G$ from $a$ to $b$. W.l.o.g. we 
can assume that no node occurs more than once on this path, $a$ and $b$ included. 
Hence there exist nodes $c_1, \dots, c_m \in V$ with $m \leq n$ such that $c_1 = a$, $c_m = b$, and 
for each $i = 1, \dots, n - 1$, $(c_i, c_{i+1}) \in E$. Due to its construction, $G'$ has the cycle 
$(c_1^1, c_2^2, \dots, c_m^m, a^1)$ that contains $a^1$. Hence $G'$ has an infinite path starting at $a^1$. 

"$\Leftarrow$". Suppose there is an infinite path $p$ in $G'$ starting at $a^1$. Since $G'$ is finite, some 
node must occur infinitely often on $p$. This, together with the layer-wise construction 
of $G'$, implies that there are infinitely many nodes of layer 1 on $p$. Among layer-1 
nodes, only $a^1$ has ingoing edges. Hence $a^1$ must occur infinitely often on $p$. Now 
the path from some occurrence of $a^1$ to the next is a cycle, where the predecessor 
node of $a^1$ must be some $b^m$. This implies that there is a path in $G'$ from $a^1$ to $b^m$. 
Due to the construction of $G'$, this corresponds to a path in $G$ from $a$ to $b$. ■ □ 
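
The construction of G' and Claim 7 can be checked mechanically on small graphs. The following Python sketch is an added example, not code from the paper: it computes each bit of the adjacency matrix of G' from four counters and one look-up in the old matrix, then compares GAP on G with infinite-path existence in G'. The function names, the 0-based node numbering (layers stay 1..n) and the convention that a path of length 0 leads from a to a are assumptions made here.

```python
from itertools import product

def gprime_bit(adj, a, b, v, i, w, j):
    """One bit of the adjacency matrix of G': is there an edge v^i -> w^j?
    Uses only the four counters v, i, w, j and a single look-up in adj."""
    forward = j == i + 1 and adj[v][w]       # (v^i, w^{i+1}) for (v, w) in E
    back = v == b and w == a and j == 1      # (b^i, a^1) for every layer i
    return bool(forward or back)

def build_gprime(adj, a, b):
    """Successor lists of G'; nodes are pairs (v, i) with layer i in 1..n."""
    n = len(adj)
    succ = {(v, i): [] for v in range(n) for i in range(1, n + 1)}
    for v, i, w, j in product(range(n), range(1, n + 1), repeat=2):
        if gprime_bit(adj, a, b, v, i, w, j):
            succ[(v, i)].append((w, j))
    return succ

def has_infinite_path(succ, start):
    """A finite graph has an infinite path from start iff start survives
    repeated deletion of all nodes that have no remaining successor."""
    alive = set(succ)
    while True:
        dead = {u for u in alive if not any(x in alive for x in succ[u])}
        if not dead:
            return start in alive
        alive -= dead

def reachable(adj, a, b):
    """GAP on G: is there a path (length 0 allowed, an assumption) from a to b?"""
    seen, todo = {a}, [a]
    while todo:
        u = todo.pop()
        for w, bit in enumerate(adj[u]):
            if bit and w not in seen:
                seen.add(w)
                todo.append(w)
    return b in seen

def claim7_holds(n):
    """Check Claim 7 for every directed graph on n nodes and every pair (a, b)."""
    for bits in product((0, 1), repeat=n * n):
        adj = [bits[r * n:(r + 1) * n] for r in range(n)]
        for a, b in product(range(n), repeat=2):
            gp = build_gprime(adj, a, b)
            if reachable(adj, a, b) != has_infinite_path(gp, (a, 1)):
                return False
    return True
```

Calling `claim7_holds(3)` enumerates all 512 directed graphs on three nodes, including those with self-loops and cycles that do not reach b, which are exactly the cases the layering is meant to neutralise.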